September 17, 2012

You could be forgiven for thinking that the seminal law underpinning U.S. healthcare reform has been aggressively enforced. Alas, most within the healthcare industry have wondered when the federal government would begin taking HIPAA's most blatent offenders to the woodshed. If ever. But action this week by the HHS Office for Civil Rights suggests that the government may begin pursuing violations in earnest.

HHS has announced that Massachusetts Eye and Ear Infirmary (MEEI) and its physician group, Massachusetts Eye and Ear Associates, agreed to pay $1.5 million to settle HIPAA security-rule violations. The case involves the theft of a laptop computer storing 3,621 patient records, and HHS' allegation that MEEI and the physicians not only failed to secure data on the laptop but also failed to comply with other HIPAA security requirements. According to the Office for Civil Rights brief, MEEI failed to execute “thorough analysis of the risk to the confidentiality” of provate patient information stored on the laptop and had not adopted and implemented "policies and procedures to restrict access to ePHI [electronic protected health information] to authorized users of portable devices.”

The initial installment of $500,000 is set to be paid to the government on October 15, with two subsequent payments scheduled through 2014. The offenders will also have to submit to independent monitoring of a "corrective action plan" twice a year for three years. Read the Resolution Agreement here.